Описание
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.
Ссылки
- Patch
- Patch
- Patch
- Patch
- Patch
- Patch
- Third Party Advisory
- Third Party Advisory
Уязвимые конфигурации
EPSS
10 Critical
CVSS3
9.8 Critical
CVSS3
Дефекты
Связанные уязвимости
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.
Уязвимость плагина GiveWP системы управления содержимым сайта WordPress, связанная с недостатками механизма десериализации, позволяющая нарушителю выполнить произвольный код
EPSS
10 Critical
CVSS3
9.8 Critical
CVSS3